[j-nsp] Forwarding IPv6 link-local packets?

Harry Reynolds harry at juniper.net
Thu Apr 26 18:31:43 EDT 2012


Update. The better PR is 556860, which shows closed as not fixed. PR 573100 is considered a new feature and cannot be made visible externally. <Oops>.

I will try and flip 556860 to externally visible.

Also, I hear that SRX platforms have been fixed already. Not sure of release.

Regards




-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Harry Reynolds
Sent: Thursday, April 26, 2012 3:26 PM
To: Chris Adams; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Forwarding IPv6 link-local packets?

Hey Chris. This is a known issue, tracked by internal PR 573100. I will flip that to externally visible so customers can see.

Appears fixed only on Trio as of 13.3. There was talk of a possible workaround, as below, but not clear it was ever tested/confirmed:

<< possible WA:

why don't we install the link-local routes with a discard nexthop
(to match destination link-locals) and add a uRPF strict check to it
(to match source-link-locals) ?



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
Sent: Thursday, April 26, 2012 1:58 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Forwarding IPv6 link-local packets?

I noticed some (anti-spoofing) IPv6 filter drops got logged, so I went
to track down the source of the problem.  Annoyingly, the source address
was a link-local address (although the destination addresses were on the
Internet).  I tracked down the source (only because I don't have a lot
of IPv6 traffic yet).

My question is this: why is a packet with a link-local source forwarded
at all?  I have uRPF enabled on the interface, but I guess since
fe80::/64 is considered a valid route for all IPv6 interfaces, uRPF
won't catch that.  Is there any practical way to turn off link-local
forwarding, other than to apply filters to every interface?

Or am I just missing something obvious?

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
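The thread above turns on two facts: strict uRPF accepts a link-local source because fe80::/64 is a valid route on every IPv6 interface, and the untested workaround Harry relays is to install fe80::/64 with a discard next hop so that both the source check and the destination lookup fail. The following Python model is an added example, not code from the list, from Juniper or from Junos, and it does not claim to reproduce Junos behaviour; it is a constructed longest-prefix-match FIB plus a strict uRPF check with a made-up two-interface topology (ge-0/0/0 facing a customer prefix 2001:db8:a::/64, ge-0/0/1 facing upstream), used to show why the packet Chris saw is forwarded in the baseline and dropped once fe80::/64 becomes a discard route:

```python
"""Model of strict uRPF plus a discard route for IPv6 link-local space.

Constructed example: a tiny longest-prefix-match FIB and a strict uRPF check.
Interfaces, prefixes and routes below are invented for illustration; this is
a model of the idea in the thread, not Junos configuration or Junos behaviour.
"""
import ipaddress
from dataclasses import dataclass

DISCARD = "discard"
IFACES = ("ge-0/0/0", "ge-0/0/1")  # assumed: customer-facing, upstream-facing


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    # Either DISCARD or the frozenset of interfaces the prefix is reachable via.
    next_hop: object


class Fib:
    def __init__(self, routes):
        # Longest prefix first, so the first containing prefix is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None


def build_fib(link_local_discard):
    """Baseline: fe80::/64 is 'connected' on every interface (what Chris describes).
    Workaround: fe80::/64 is installed with a discard next hop (Harry's suggestion)."""
    net = ipaddress.ip_network
    routes = [
        Route(net("2001:db8:a::/64"), frozenset({"ge-0/0/0"})),  # customer side
        Route(net("2001:db8:b::/64"), frozenset({"ge-0/0/1"})),  # peer side
        Route(net("::/0"), frozenset({"ge-0/0/1"})),             # default upstream
    ]
    ll_next_hop = DISCARD if link_local_discard else frozenset(IFACES)
    routes.append(Route(net("fe80::/64"), ll_next_hop))
    return Fib(routes)


def urpf_strict_passes(fib, src, ingress):
    """Strict uRPF: the best route back to the source must point at the ingress
    interface. A missing route or a discard route fails the check."""
    route = fib.lookup(src)
    if route is None or route.next_hop == DISCARD:
        return False
    return ingress in route.next_hop


def forward(fib, src, dst, ingress):
    """Return the forwarding decision for one packet as a short string."""
    if not urpf_strict_passes(fib, src, ingress):
        return "drop:urpf-fail"
    route = fib.lookup(dst)
    if route is None:
        return "drop:no-route"
    if route.next_hop == DISCARD:
        return "drop:discard"
    # The model picks the first interface deterministically; a real router would
    # resolve the next hop properly.
    return "forward:" + sorted(route.next_hop)[0]


if __name__ == "__main__":
    baseline, workaround = build_fib(False), build_fib(True)
    # Constructed packets: the link-local-sourced one is the case from the thread.
    packets = [
        ("fe80::1", "2001:db8::1", "ge-0/0/0"),        # link-local source to Internet
        ("2001:db8:a::5", "2001:db8::1", "ge-0/0/0"),  # legitimate customer traffic
        ("2001:db8:a::5", "fe80::9", "ge-0/0/0"),      # global source to link-local dst
        ("2001:db8:a::5", "2001:db8::1", "ge-0/0/1"),  # customer prefix from upstream
    ]
    for src, dst, ingress in packets:
        print(f"{src:>14} -> {dst:<12} in {ingress}: "
              f"baseline={forward(baseline, src, dst, ingress):<18} "
              f"workaround={forward(workaround, src, dst, ingress)}")
```

In the baseline the fe80::/64 route lists every interface, so strict uRPF cannot distinguish a link-local source arriving on ge-0/0/0 from one arriving anywhere else, and the packet is forwarded upstream exactly as Chris observed. With fe80::/64 as a discard route the same packet fails uRPF on the source side, and a global-sourced packet addressed to a link-local destination is discarded on the destination lookup, while ordinary customer traffic is unaffected. Whether a real platform lets a discard route take precedence over the per-interface link-local route is the part the thread says was never confirmed, which is why this stays a model.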
